Cybersecurity Incident: Finastra Investigates Data Theft from Internal Platform
The financial technology company Finastra, which services a significant portion of the banking sector, is currently dealing with a serious security breach involving the theft of confidential information from its internal file transfer system. KrebsOnSecurity has confirmed that over 400 gigabytes of data, allegedly taken from Finastra, is being marketed by cybercriminals. This breach raises urgent concerns, particularly for the 45 largest banks that rely on Finastra’s suite of software and services.
Finastra, headquartered in London and operating in 42 countries, reported revenues of $1.9 billion in the last fiscal year. The firm employs over 7,000 staff and caters to approximately 8,100 financial institutions globally. A core element of its offerings is the management of substantial volumes of digital transactions that include detailed instructions for transfers on behalf of its clients.
On November 8, 2024, Finastra informed its clientele that its security team identified suspicious activity on November 7 involving its file transfer platform. This incident was compounded by claims from threat actors on the dark web who asserted possession of various files stolen from the company.
Finastra’s communication to its customers indicated that, although there was no immediate impact on their operations, the intruder did successfully exfiltrate files containing customer data. The disclosure specified that the attacker did not deploy malware or manipulate any customer files within the environment, suggesting they employed stealthy methods to extract data without raising alarms until their actions were observed.
In an official statement addressing queries about the breach, Finastra expressed commitment to transparency and customer communication during ongoing investigations. The company indicated that initial analyses suggested compromised credentials may have facilitated unauthorized access. Moreover, Finastra is actively disseminating Indicators of Compromise (IOCs) and coordinating with clients’ security teams to provide updates.
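The two preceding paragraphs describe the incident pattern that defenders of a managed file transfer platform most need to catch: a legitimate credential used from an unfamiliar address to pull far more data than that account normally moves, with no malware to trigger endpoint alerts. The following is an added illustration, not Finastra's tooling or the IOCs it distributed; the audit log format, field names, account name, addresses and the 5x volume threshold are all constructed assumptions. It builds a per-account baseline from prior days of transfer logs and flags both a first-seen source address and a daily download volume far above that baseline.

```python
"""Detection sketch for credential misuse on a file-transfer platform.
Added example with constructed input; log format, thresholds and names
are assumptions and not taken from any vendor's real logs."""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample audit log (hypothetical format). Baseline days show a
# service account pulling a few ~50 MB batch files from one address; on the
# final day the same credential logs in from a new address at 02:00 and pulls
# roughly 400 GB of archives.
SAMPLE_LOG = """\
2024-11-01T09:12:03Z user=acct_ops src=10.20.30.5 action=LOGIN result=OK
2024-11-01T09:13:10Z user=acct_ops src=10.20.30.5 action=DOWNLOAD path=/out/batch_0001.zip bytes=52428800
2024-11-01T09:20:44Z user=acct_ops src=10.20.30.5 action=DOWNLOAD path=/out/batch_0002.zip bytes=48000000
2024-11-04T09:11:51Z user=acct_ops src=10.20.30.5 action=LOGIN result=OK
2024-11-04T09:12:30Z user=acct_ops src=10.20.30.5 action=DOWNLOAD path=/out/batch_0003.zip bytes=51000000
2024-11-05T09:10:07Z user=acct_ops src=10.20.30.5 action=LOGIN result=OK
2024-11-05T09:11:02Z user=acct_ops src=10.20.30.5 action=DOWNLOAD path=/out/batch_0004.zip bytes=49500000
2024-11-06T09:14:19Z user=acct_ops src=10.20.30.5 action=LOGIN result=OK
2024-11-06T09:15:40Z user=acct_ops src=10.20.30.5 action=DOWNLOAD path=/out/batch_0005.zip bytes=50200000
2024-11-07T02:03:11Z user=acct_ops src=198.51.100.77 action=LOGIN result=OK
2024-11-07T02:04:02Z user=acct_ops src=198.51.100.77 action=DOWNLOAD path=/out/archive_2023.tar bytes=107374182400
2024-11-07T02:31:45Z user=acct_ops src=198.51.100.77 action=DOWNLOAD path=/out/archive_2024.tar bytes=214748364800
2024-11-07T03:02:09Z user=acct_ops src=198.51.100.77 action=DOWNLOAD path=/in/partner_feeds.tar bytes=107374182400
"""

# path/bytes appear only on DOWNLOAD lines, result only on LOGIN lines.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) action=(?P<action>\S+)"
    r"(?: path=(?P<path>\S+) bytes=(?P<bytes>\d+))?(?: result=(?P<result>\S+))?$"
)


def parse_log(text):
    """Parse audit lines into event dicts; unparseable lines are skipped so a
    single malformed record cannot stall the detection run."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({
            "ts": ts, "day": ts.date().isoformat(), "user": m["user"],
            "src": m["src"], "action": m["action"], "bytes": int(m["bytes"] or 0),
        })
    return events


def build_baseline(events, observe_day):
    """Per-user profile from all days strictly before observe_day: the largest
    single-day download volume and every source address seen for the account."""
    daily = defaultdict(lambda: defaultdict(int))  # user -> day -> bytes
    srcs = defaultdict(set)
    for e in events:
        if e["day"] >= observe_day:
            continue
        srcs[e["user"]].add(e["src"])
        if e["action"] == "DOWNLOAD":
            daily[e["user"]][e["day"]] += e["bytes"]
    return {
        u: {"max_daily_bytes": max(daily[u].values(), default=0), "known_srcs": srcs[u]}
        for u in srcs
    }


def detect(events, observe_day, volume_factor=5.0):
    """Return findings for observe_day: accounts whose download volume exceeds
    volume_factor times their historical daily maximum (an account with no
    history has a ceiling of zero, so any download is flagged), and accounts
    authenticating from an address never seen in the baseline period."""
    baseline = build_baseline(events, observe_day)
    volume = defaultdict(int)
    new_src = defaultdict(set)
    for e in events:
        if e["day"] != observe_day:
            continue
        known = baseline.get(e["user"], {}).get("known_srcs", set())
        if e["src"] not in known:
            new_src[e["user"]].add(e["src"])
        if e["action"] == "DOWNLOAD":
            volume[e["user"]] += e["bytes"]
    findings = []
    for user, total in volume.items():
        hist_max = baseline.get(user, {}).get("max_daily_bytes", 0)
        if total > hist_max * volume_factor:
            findings.append({"user": user, "rule": "bulk_download",
                             "bytes": total, "baseline_max": hist_max})
    for user, srcs in new_src.items():
        findings.append({"user": user, "rule": "new_source_ip", "srcs": sorted(srcs)})
    return findings


if __name__ == "__main__":
    for f in detect(parse_log(SAMPLE_LOG), "2024-11-07"):
        print(f)
```

Volume alone is a weak signal for an account whose job is moving batch files, which is why the two rules are kept separate: a new source address on a service credential is worth a ticket by itself, and the two firing together for the same account on the same day is the combination worth paging on. In production the baseline would be computed over weeks rather than a handful of days and stored, not rebuilt per run.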
Cybercriminals apparently initiated their data auction on BreachForums, with an individual under the alias "abyss0" advertising stolen files belonging to prominent banking clients. An earlier attempt to sell this data on October 31 did not disclose the victim’s identity but alluded to the same banks. The auction itself did not specify pricing, instead instructing interested parties to reach out via Telegram.
Notably, abyss0’s online presence shifted soon after the sales postings, with accounts on platforms such as Telegram and BreachForums apparently suspended or deleted. This abrupt disappearance raises the question of whether it was prompted by increased scrutiny or by the seller’s own choice.
In retrospect, the timeline suggests that abyss0 could have gained access to Finastra’s systems well before the first indications of a breach were noted. The intruder’s behavior and stealth mirror techniques cataloged in the MITRE ATT&CK framework, including initial access via compromised credentials and potential persistence mechanisms for maintaining access to the environment.
Finastra’s recent history of security incidents, including a significant ransomware attack in March 2020 that disrupted operations, underscores the evolving nature of cybersecurity threats that organizations in the technological and financial sectors must navigate. The implications of this breach extend beyond immediate operational concerns, highlighting the critical importance of implementing robust security measures and incident response strategies to protect sensitive financial data.
As investigations continue, industry observers and business owners alike will be closely monitoring the situation, especially as more details emerge about the nature and scope of the data involved in this breach. Companies are reminded to remain vigilant against potential cyber threats that can compromise data integrity and customer trust.